
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="zh_Hans">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Archive of security issues &#8212; Django 3.2.6.dev documentation</title>
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="next" title="Django internals" href="../internals/index.html" />
    <link rel="prev" title="Django version 0.95 release notes" href="0.95.html" />



 
<script src="../templatebuiltins.js"></script>
<script>
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);</script>

  </head><body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 3.2.6.dev documentation</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="0.95.html" title="Django version 0.95 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="../internals/index.html" title="Django internals">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-security">
            
  <div class="section" id="s-archive-of-security-issues">
<span id="archive-of-security-issues"></span><h1>Archive of security issues<a class="headerlink" href="#archive-of-security-issues" title="Permalink to this headline">¶</a></h1>
<p>Django's development team is strongly committed to responsible
reporting and disclosure of security-related issues, as outlined in
<a class="reference internal" href="../internals/security.html"><span class="doc">Django's security policies</span></a>.</p>
<p>As part of that commitment, we maintain the following historical list
of issues which have been fixed and disclosed. For each issue, the
list below includes the date, a brief description, the <a class="reference external" href="https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures">CVE identifier</a>
if applicable, a list of affected versions, a link to the full
disclosure and links to the appropriate patch(es).</p>
<p>Some important caveats apply to this information:</p>
<ul class="simple">
<li>Lists of affected versions include only those versions of Django
which had stable, security-supported releases at the time of
disclosure. This means older versions (whose security support had
expired) and versions which were in pre-release (alpha/beta/RC)
states at the time of disclosure may have been affected, but are not
listed.</li>
<li>The Django project has on occasion issued security advisories,
pointing out potential security problems which can arise from
improper configuration or from other issues outside of Django
itself. Some of these advisories have received CVEs; when that is
the case, they are listed here, but as they have no accompanying
patches or releases, only the description, disclosure and CVE will
be listed.</li>
</ul>
<div class="section" id="s-issues-under-django-s-security-process">
<span id="issues-under-django-s-security-process"></span><h2>Issues under Django's security process<a class="headerlink" href="#issues-under-django-s-security-process" title="Permalink to this headline">¶</a></h2>
<p>All security issues have been handled under versions of Django's security
process. These are listed below.</p>
<div class="section" id="s-july-1-2021-cve-2021-35042">
<span id="july-1-2021-cve-2021-35042"></span><h3>July 1, 2021 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2021-35042">CVE-2021-35042</a><a class="headerlink" href="#july-1-2021-cve-2021-35042" title="Permalink to this headline">¶</a></h3>
<p>Potential SQL injection via unsanitized <code class="docutils literal notranslate"><span class="pre">QuerySet.order_by()</span></code> input. <a class="reference external" href="https://www.djangoproject.com/weblog/2021/jul/01/security-releases/">Full
description</a></p>
<div class="section" id="s-versions-affected">
<span id="versions-affected"></span><h4>Versions affected<a class="headerlink" href="#versions-affected" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.2 <a class="reference external" href="https://github.com/django/django/commit/a34a5f724c5d5adb2109374ba3989ebb7b11f81f">(patch)</a></li>
<li>Django 3.1 <a class="reference external" href="https://github.com/django/django/commit/0bd57a879a0d54920bb9038a732645fb917040e9">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-june-2-2021-cve-2021-33203">
<span id="june-2-2021-cve-2021-33203"></span><h3>June 2, 2021 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2021-33203">CVE-2021-33203</a><a class="headerlink" href="#june-2-2021-cve-2021-33203" title="Permalink to this headline">¶</a></h3>
<p>Potential directory traversal via <code class="docutils literal notranslate"><span class="pre">admindocs</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2021/jun/02/security-releases/">Full description</a></p>
<div class="section" id="s-id1">
<span id="id1"></span><h4>Versions affected<a class="headerlink" href="#id1" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.2 <a class="reference external" href="https://github.com/django/django/commit/dfaba12cda060b8b292ae1d271b44bf810b1c5b9">(patch)</a></li>
<li>Django 3.1 <a class="reference external" href="https://github.com/django/django/commit/20c67a0693c4ede2b09af02574823485e82e4c8f">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/053cc9534d174dc89daba36724ed2dcb36755b90">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-june-2-2021-cve-2021-33571">
<span id="june-2-2021-cve-2021-33571"></span><h3>June 2, 2021 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2021-33571">CVE-2021-33571</a><a class="headerlink" href="#june-2-2021-cve-2021-33571" title="Permalink to this headline">¶</a></h3>
<p>Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted
leading zeros in IPv4 addresses. <a class="reference external" href="https://www.djangoproject.com/weblog/2021/jun/02/security-releases/">Full description</a></p>
<div class="section" id="s-id2">
<span id="id2"></span><h4>Versions affected<a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.2 <a class="reference external" href="https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d">(patch)</a></li>
<li>Django 3.1 <a class="reference external" href="https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-may-6-2021-cve-2021-32052">
<span id="may-6-2021-cve-2021-32052"></span><h3>May 6, 2021 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2021-32052">CVE-2021-32052</a><a class="headerlink" href="#may-6-2021-cve-2021-32052" title="Permalink to this headline">¶</a></h3>
<p>Header injection possibility since <code class="docutils literal notranslate"><span class="pre">URLValidator</span></code> accepted newlines in input
on Python 3.9.5+. <a class="reference external" href="https://www.djangoproject.com/weblog/2021/may/06/security-releases/">Full description</a></p>
<div class="section" id="s-id3">
<span id="id3"></span><h4>Versions affected<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.2 <a class="reference external" href="https://github.com/django/django/commit/2d2c1d0c97832860fbd6597977e2aae17dd7e5b2">(patch)</a></li>
<li>Django 3.1 <a class="reference external" href="https://github.com/django/django/commit/afb23f5929944a407e4990edef1c7806a94c9879">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/d9594c4ea57b6309d93879805302cec9ae9f23ff">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-may-4-2021-cve-2021-31542">
<span id="may-4-2021-cve-2021-31542"></span><h3>May 4, 2021 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2021-31542">CVE-2021-31542</a><a class="headerlink" href="#may-4-2021-cve-2021-31542" title="Permalink to this headline">¶</a></h3>
<p>Potential directory-traversal via uploaded files. <a class="reference external" href="https://www.djangoproject.com/weblog/2021/may/04/security-releases/">Full description</a></p>
<div class="section" id="s-id4">
<span id="id4"></span><h4>Versions affected<a class="headerlink" href="#id4" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.2 <a class="reference external" href="https://github.com/django/django/commit/c98f446c188596d4ba6de71d1b77b4a6c5c2a007">(patch)</a></li>
<li>Django 3.1 <a class="reference external" href="https://github.com/django/django/commit/25d84d64122c15050a0ee739e859f22ddab5ac48">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-april-6-2021-cve-2021-28658">
<span id="april-6-2021-cve-2021-28658"></span><h3>April 6, 2021 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2021-28658">CVE-2021-28658</a><a class="headerlink" href="#april-6-2021-cve-2021-28658" title="Permalink to this headline">¶</a></h3>
<p>Potential directory-traversal via uploaded files. <a class="reference external" href="https://www.djangoproject.com/weblog/2021/apr/06/security-releases/">Full description</a></p>
<div class="section" id="s-id5">
<span id="id5"></span><h4>Versions affected<a class="headerlink" href="#id5" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.2 <a class="reference external" href="https://github.com/django/django/commit/2820fd1be5dfccbf1216c3845fad8580502473e1">(patch)</a></li>
<li>Django 3.1 <a class="reference external" href="https://github.com/django/django/commit/cca0d98118cccf9ae0c6dcf2d6c57fc50469fbf0">(patch)</a></li>
<li>Django 3.0 <a class="reference external" href="https://github.com/django/django/commit/e7fba62248f604c76da4f23dcf1db4a57b0808ea">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/4036d62bda0e9e9f6172943794b744a454ca49c2">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-19-2021-cve-2021-23336">
<span id="february-19-2021-cve-2021-23336"></span><h3>February 19, 2021 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2021-23336">CVE-2021-23336</a><a class="headerlink" href="#february-19-2021-cve-2021-23336" title="Permalink to this headline">¶</a></h3>
<p>Web cache poisoning via <code class="docutils literal notranslate"><span class="pre">django.utils.http.limited_parse_qsl()</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2021/feb/19/security-releases/">Full
description</a></p>
<div class="section" id="s-id6">
<span id="id6"></span><h4>Versions affected<a class="headerlink" href="#id6" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.2 <a class="reference external" href="https://github.com/django/django/commit/be8237c7cce24b06aabde0b97afce98ddabbe3b6">(patch)</a></li>
<li>Django 3.1 <a class="reference external" href="https://github.com/django/django/commit/8f6d431b08cbb418d9144b976e7b972546607851">(patch)</a></li>
<li>Django 3.0 <a class="reference external" href="https://github.com/django/django/commit/326a926beef869d3341bc9ef737887f0449b6b71">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/fd6b6afd5959b638c62dbf4839ccff97e7f7dfda">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-1-2021-cve-2021-3281">
<span id="february-1-2021-cve-2021-3281"></span><h3>February 1, 2021 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2021-3281">CVE-2021-3281</a><a class="headerlink" href="#february-1-2021-cve-2021-3281" title="Permalink to this headline">¶</a></h3>
<p>Potential directory-traversal via <code class="docutils literal notranslate"><span class="pre">archive.extract()</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2021/feb/01/security-releases/">Full description</a></p>
<div class="section" id="s-id7">
<span id="id7"></span><h4>Versions affected<a class="headerlink" href="#id7" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.1 <a class="reference external" href="https://github.com/django/django/commit/02e6592835b4559909aa3aaaf67988fef435f624">(patch)</a></li>
<li>Django 3.0 <a class="reference external" href="https://github.com/django/django/commit/52e409ed17287e9aabda847b6afe58be2fa9f86a">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-1-2020-cve-2020-24584">
<span id="september-1-2020-cve-2020-24584"></span><h3>September 1, 2020 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2020-24584">CVE-2020-24584</a><a class="headerlink" href="#september-1-2020-cve-2020-24584" title="Permalink to this headline">¶</a></h3>
<p>Permission escalation in intermediate-level directories of the file system
cache on Python 3.7+. <a class="reference external" href="https://www.djangoproject.com/weblog/2020/sep/01/security-releases/">Full description</a></p>
<div class="section" id="s-id8">
<span id="id8"></span><h4>Versions affected<a class="headerlink" href="#id8" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.1 <a class="reference external" href="https://github.com/django/django/commit/2b099caa5923afa8cfb5f1e8c0d56b6e0e81915b">(patch)</a></li>
<li>Django 3.0 <a class="reference external" href="https://github.com/django/django/commit/cdb367c92a0ba72ddc0cbd13ff42b0e6df709554">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/a3aebfdc8153dc230686b6d2454ccd32ed4c9e6f">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-1-2020-cve-2020-24583">
<span id="september-1-2020-cve-2020-24583"></span><h3>September 1, 2020 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2020-24583">CVE-2020-24583</a><a class="headerlink" href="#september-1-2020-cve-2020-24583" title="Permalink to this headline">¶</a></h3>
<p>Incorrect permissions on intermediate-level directories on Python 3.7+. <a class="reference external" href="https://www.djangoproject.com/weblog/2020/sep/01/security-releases/">Full
description</a></p>
<div class="section" id="s-id9">
<span id="id9"></span><h4>Versions affected<a class="headerlink" href="#id9" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.1 <a class="reference external" href="https://github.com/django/django/commit/934430d22aa5d90c2ba33495ff69a6a1d997d584">(patch)</a></li>
<li>Django 3.0 <a class="reference external" href="https://github.com/django/django/commit/08892bffd275c79ee1f8f67639eb170aaaf1181e">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/375657a71c889c588f723469bd868bd1d40c369f">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-june-3-2020-cve-2020-13596">
<span id="june-3-2020-cve-2020-13596"></span><h3>June 3, 2020 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2020-13596">CVE-2020-13596</a><a class="headerlink" href="#june-3-2020-cve-2020-13596" title="Permalink to this headline">¶</a></h3>
<p>Possible XSS via admin <code class="docutils literal notranslate"><span class="pre">ForeignKeyRawIdWidget</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2020/jun/03/security-releases/">Full description</a></p>
<div class="section" id="s-id10">
<span id="id10"></span><h4>Versions affected<a class="headerlink" href="#id10" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.0 <a class="reference external" href="https://github.com/django/django/commit/1f2dd37f6fcefdd10ed44cb233b2e62b520afb38">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/6d61860b22875f358fac83d903dc629897934815">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-june-3-2020-cve-2020-13254">
<span id="june-3-2020-cve-2020-13254"></span><h3>June 3, 2020 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2020-13254">CVE-2020-13254</a><a class="headerlink" href="#june-3-2020-cve-2020-13254" title="Permalink to this headline">¶</a></h3>
<p>Potential data leakage via malformed memcached keys. <a class="reference external" href="https://www.djangoproject.com/weblog/2020/jun/03/security-releases/">Full description</a></p>
<div class="section" id="s-id11">
<span id="id11"></span><h4>Versions affected<a class="headerlink" href="#id11" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.0 <a class="reference external" href="https://github.com/django/django/commit/84b2da5552e100ae3294f564f6c862fef8d0e693">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/07e59caa02831c4569bbebb9eb773bdd9cb4b206">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-march-4-2020-cve-2020-9402">
<span id="march-4-2020-cve-2020-9402"></span><h3>March 4, 2020 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2020-9402">CVE-2020-9402</a><a class="headerlink" href="#march-4-2020-cve-2020-9402" title="Permalink to this headline">¶</a></h3>
<p>Potential SQL injection via <code class="docutils literal notranslate"><span class="pre">tolerance</span></code> parameter in GIS functions and
aggregates on Oracle. <a class="reference external" href="https://www.djangoproject.com/weblog/2020/mar/04/security-releases/">Full description</a></p>
<div class="section" id="s-id12">
<span id="id12"></span><h4>Versions affected<a class="headerlink" href="#id12" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.0 <a class="reference external" href="https://github.com/django/django/commit/26a5cf834526e291db00385dd33d319b8271fc4c">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/fe886a3b58a93cfbe8864b485f93cb6d426cd1f2">(patch)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/02d97f3c9a88adc890047996e5606180bd1c6166">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-3-2020-cve-2020-7471">
<span id="february-3-2020-cve-2020-7471"></span><h3>February 3, 2020 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2020-7471">CVE-2020-7471</a><a class="headerlink" href="#february-3-2020-cve-2020-7471" title="Permalink to this headline">¶</a></h3>
<p>Potential SQL injection via <code class="docutils literal notranslate"><span class="pre">StringAgg(delimiter)</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2020/feb/03/security-releases/">Full description</a></p>
<div class="section" id="s-id13">
<span id="id13"></span><h4>Versions affected<a class="headerlink" href="#id13" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.0 <a class="reference external" href="https://github.com/django/django/commit/505826b469b16ab36693360da9e11fd13213421b">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/c67a368c16e4680b324b4f385398d638db4d8147">(patch)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/001b0634cd309e372edb6d7d95d083d02b8e37bd">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-december-18-2019-cve-2019-19844">
<span id="december-18-2019-cve-2019-19844"></span><h3>December 18, 2019 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2019-19844">CVE-2019-19844</a><a class="headerlink" href="#december-18-2019-cve-2019-19844" title="Permalink to this headline">¶</a></h3>
<p>Potential account hijack via password reset form. <a class="reference external" href="https://www.djangoproject.com/weblog/2019/dec/18/security-releases/">Full description</a></p>
<div class="section" id="s-id14">
<span id="id14"></span><h4>Versions affected<a class="headerlink" href="#id14" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.0 <a class="reference external" href="https://github.com/django/django/commit/302a4ff1e8b1c798aab97673909c7a3dfda42c26">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/4d334bea06cac63dc1272abcec545b85136cca0e">(patch)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-december-2-2019-cve-2019-19118">
<span id="december-2-2019-cve-2019-19118"></span><h3>December 2, 2019 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2019-19118">CVE-2019-19118</a><a class="headerlink" href="#december-2-2019-cve-2019-19118" title="Permalink to this headline">¶</a></h3>
<p>Privilege escalation in the Django admin. <a class="reference external" href="https://www.djangoproject.com/weblog/2019/dec/02/security-releases/">Full description</a></p>
<div class="section" id="s-id15">
<span id="id15"></span><h4>Versions affected<a class="headerlink" href="#id15" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 3.0 <a class="reference external" href="https://github.com/django/django/commit/092cd66cf3c3e175acce698d6ca2012068d878fa">(patch)</a></li>
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/36f580a17f0b3cb087deadf3b65eea024f479c21">(patch)</a></li>
<li>Django 2.1 <a class="reference external" href="https://github.com/django/django/commit/103ebe2b5ff1b2614b85a52c239f471904d26244">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-1-2019-cve-2019-14235">
<span id="august-1-2019-cve-2019-14235"></span><h3>August 1, 2019 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2019-14235">CVE-2019-14235</a><a class="headerlink" href="#august-1-2019-cve-2019-14235" title="Permalink to this headline">¶</a></h3>
<p>Potential memory exhaustion in <code class="docutils literal notranslate"><span class="pre">django.utils.encoding.uri_to_iri()</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2019/aug/01/security-releases/">Full
description</a></p>
<div class="section" id="s-id16">
<span id="id16"></span><h4>Versions affected<a class="headerlink" href="#id16" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/cf694e6852b0da7799f8b53f1fb2f7d20cf17534">(patch)</a></li>
<li>Django 2.1 <a class="reference external" href="https://github.com/django/django/commit/5d50a2e5fa36ad23ab532fc54cf4073de84b3306">(patch)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-1-2019-cve-2019-14234">
<span id="august-1-2019-cve-2019-14234"></span><h3>August 1, 2019 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2019-14234">CVE-2019-14234</a><a class="headerlink" href="#august-1-2019-cve-2019-14234" title="Permalink to this headline">¶</a></h3>
<p>SQL injection possibility in key and index lookups for
<code class="docutils literal notranslate"><span class="pre">JSONField</span></code>/<code class="docutils literal notranslate"><span class="pre">HStoreField</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2019/aug/01/security-releases/">Full description</a></p>
<div class="section" id="s-id17">
<span id="id17"></span><h4>Versions affected<a class="headerlink" href="#id17" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/4f5b58f5cd3c57fee9972ab074f8dc6895d8f387">(patch)</a></li>
<li>Django 2.1 <a class="reference external" href="https://github.com/django/django/commit/f74b3ae3628c26e1b4f8db3d13a91d52a833a975">(patch)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/ed682a24fca774818542757651bfba576c3fc3ef">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-1-2019-cve-2019-14233">
<span id="august-1-2019-cve-2019-14233"></span><h3>August 1, 2019 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2019-14233">CVE-2019-14233</a><a class="headerlink" href="#august-1-2019-cve-2019-14233" title="Permalink to this headline">¶</a></h3>
<p>Denial-of-service possibility in <code class="docutils literal notranslate"><span class="pre">strip_tags()</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2019/aug/01/security-releases/">Full description</a></p>
<div class="section" id="s-id18">
<span id="id18"></span><h4>Versions affected<a class="headerlink" href="#id18" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/e34f3c0e9ee5fc9022428fe91640638bafd4cda7">(patch)</a></li>
<li>Django 2.1 <a class="reference external" href="https://github.com/django/django/commit/5ff8e791148bd451180124d76a55cb2b2b9556eb">(patch)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/52479acce792ad80bb0f915f20b835f919993c72">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-1-2019-cve-2019-14232">
<span id="august-1-2019-cve-2019-14232"></span><h3>August 1, 2019 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2019-14232">CVE-2019-14232</a><a class="headerlink" href="#august-1-2019-cve-2019-14232" title="Permalink to this headline">¶</a></h3>
<p>Denial-of-service possibility in <code class="docutils literal notranslate"><span class="pre">django.utils.text.Truncator</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2019/aug/01/security-releases/">Full
description</a></p>
<div class="section" id="s-id19">
<span id="id19"></span><h4>Versions affected<a class="headerlink" href="#id19" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/c3289717c6f21a8cf23daff1c78c0c014b94041f">(patch)</a></li>
<li>Django 2.1 <a class="reference external" href="https://github.com/django/django/commit/c23723a1551340cc7d3126f04fcfd178fa224193">(patch)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/42a66e969023c00536256469f0e8b8a099ef109d">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-july-1-2019-cve-2019-12781">
<span id="july-1-2019-cve-2019-12781"></span><h3>July 1, 2019 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2019-12781">CVE-2019-12781</a><a class="headerlink" href="#july-1-2019-cve-2019-12781" title="Permalink to this headline">¶</a></h3>
<p>Incorrect HTTP detection with reverse-proxy connecting via HTTPS. <a class="reference external" href="https://www.djangoproject.com/weblog/2019/jul/01/security-releases/">Full
description</a></p>
<div class="section" id="s-id20">
<span id="id20"></span><h4>Versions affected<a class="headerlink" href="#id20" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/77706a3e4766da5d5fb75c4db22a0a59a28e6cd6">(patch)</a></li>
<li>Django 2.1 <a class="reference external" href="https://github.com/django/django/commit/1e40f427bb8d0fb37cc9f830096a97c36c97af6f">(patch)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/32124fc41e75074141b05f10fc55a4f01ff7f050">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-june-3-2019-cve-2019-12308">
<span id="june-3-2019-cve-2019-12308"></span><h3>June 3, 2019 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2019-12308">CVE-2019-12308</a><a class="headerlink" href="#june-3-2019-cve-2019-12308" title="Permalink to this headline">¶</a></h3>
<p>XSS via &quot;Current URL&quot; link generated by <code class="docutils literal notranslate"><span class="pre">AdminURLFieldWidget</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2019/jun/03/security-releases/">Full
description</a></p>
<div class="section" id="s-id21">
<span id="id21"></span><h4>Versions affected<a class="headerlink" href="#id21" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673">(patch)</a></li>
<li>Django 2.1 <a class="reference external" href="https://github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62">(patch)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-june-3-2019-cve-2019-11358">
<span id="june-3-2019-cve-2019-11358"></span><h3>June 3, 2019 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2019-11358">CVE-2019-11358</a><a class="headerlink" href="#june-3-2019-cve-2019-11358" title="Permalink to this headline">¶</a></h3>
<p>Prototype pollution in bundled jQuery. <a class="reference external" href="https://www.djangoproject.com/weblog/2019/jun/03/security-releases/">Full description</a></p>
<div class="section" id="s-id22">
<span id="id22"></span><h4>Versions affected<a class="headerlink" href="#id22" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 2.2 <a class="reference external" href="https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad">(patch)</a></li>
<li>Django 2.1 <a class="reference external" href="https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-11-2019-cve-2019-6975">
<span id="february-11-2019-cve-2019-6975"></span><h3>February 11, 2019 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2019-6975">CVE-2019-6975</a><a class="headerlink" href="#february-11-2019-cve-2019-6975" title="永久链接至标题">¶</a></h3>
<p>Memory exhaustion in <code class="docutils literal notranslate"><span class="pre">django.utils.numberformat.format()</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2019/feb/11/security-releases/">Full description</a></p>
<div class="section" id="s-id23">
<span id="id23"></span><h4>Versions affected<a class="headerlink" href="#id23" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 2.1 <a class="reference external" href="https://github.com/django/django/commit/40cd19055773705301c3428ed5e08a036d2091f3">(patch)</a></li>
<li>Django 2.0 <a class="reference external" href="https://github.com/django/django/commit/1f42f82566c9d2d73aff1c42790d6b1b243f7676">(patch</a> and
<a class="reference external" href="https://github.com/django/django/commit/392e040647403fc8007708d52ce01d915b014849">correction)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/0bbb560183fabf0533289700845dafa94951f227">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-january-4-2019-cve-2019-3498">
<span id="january-4-2019-cve-2019-3498"></span><h3>January 4, 2019 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2019-3498">CVE-2019-3498</a><a class="headerlink" href="#january-4-2019-cve-2019-3498" title="永久链接至标题">¶</a></h3>
<p>Content spoofing possibility in the default 404 page. <a class="reference external" href="https://www.djangoproject.com/weblog/2019/jan/04/security-releases/">Full description</a></p>
<div class="section" id="s-id24">
<span id="id24"></span><h4>Versions affected<a class="headerlink" href="#id24" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 2.1 <a class="reference external" href="https://github.com/django/django/commit/64d2396e83aedba3fcc84ca40f23fbd22f0b9b5b">(patch)</a></li>
<li>Django 2.0 <a class="reference external" href="https://github.com/django/django/commit/9f4ed7c94c62e21644ef5115e393ac426b886f2e">(patch)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-october-1-2018-cve-2018-16984">
<span id="october-1-2018-cve-2018-16984"></span><h3>October 1, 2018 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2018-16984">CVE-2018-16984</a><a class="headerlink" href="#october-1-2018-cve-2018-16984" title="永久链接至标题">¶</a></h3>
<p>Password hash disclosure to &quot;view only&quot; admin users. <a class="reference external" href="https://www.djangoproject.com/weblog/2018/oct/01/security-release/">Full description</a></p>
<div class="section" id="s-id25">
<span id="id25"></span><h4>Versions affected<a class="headerlink" href="#id25" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 2.1 <a class="reference external" href="https://github.com/django/django/commit/c4bd5b597e0aa2432e4c867b86650f18af117851">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-1-2018-cve-2018-14574">
<span id="august-1-2018-cve-2018-14574"></span><h3>August 1, 2018 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2018-14574">CVE-2018-14574</a><a class="headerlink" href="#august-1-2018-cve-2018-14574" title="永久链接至标题">¶</a></h3>
<p>Open redirect possibility in <code class="docutils literal notranslate"><span class="pre">CommonMiddleware</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2018/aug/01/security-releases/">Full description</a></p>
<div class="section" id="s-id26">
<span id="id26"></span><h4>Versions affected<a class="headerlink" href="#id26" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 2.1 <a class="reference external" href="https://github.com/django/django/commit/c4e5ff7fdb5fce447675e90291fd33fddd052b3c">(patch)</a></li>
<li>Django 2.0 <a class="reference external" href="https://github.com/django/django/commit/6fffc3c6d420e44f4029d5643f38d00a39b08525">(patch)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/d6eaee092709aad477a9894598496c6deec532ff">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-march-6-2018-cve-2018-7537">
<span id="march-6-2018-cve-2018-7537"></span><h3>March 6, 2018 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2018-7537">CVE-2018-7537</a><a class="headerlink" href="#march-6-2018-cve-2018-7537" title="永久链接至标题">¶</a></h3>
<p>Denial-of-service possibility in <code class="docutils literal notranslate"><span class="pre">truncatechars_html</span></code> and
<code class="docutils literal notranslate"><span class="pre">truncatewords_html</span></code> template filters. <a class="reference external" href="https://www.djangoproject.com/weblog/2018/mar/06/security-releases/">Full description</a></p>
<div class="section" id="s-id27">
<span id="id27"></span><h4>Versions affected<a class="headerlink" href="#id27" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 2.0 <a class="reference external" href="https://github.com/django/django/commit/94c5da1d17a6b0d378866c66b605102c19f7988c">(patch)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/a91436360b79a6ff995c3e5018bcc666dfaf1539">(patch)</a></li>
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/d17974a287a6ea2e361daff88fcc004cbd6835fa">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-march-6-2018-cve-2018-7536">
<span id="march-6-2018-cve-2018-7536"></span><h3>March 6, 2018 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2018-7536">CVE-2018-7536</a><a class="headerlink" href="#march-6-2018-cve-2018-7536" title="永久链接至标题">¶</a></h3>
<p>Denial-of-service possibility in <code class="docutils literal notranslate"><span class="pre">urlize</span></code> and <code class="docutils literal notranslate"><span class="pre">urlizetrunc</span></code> template
filters. <a class="reference external" href="https://www.djangoproject.com/weblog/2018/mar/06/security-releases/">Full description</a></p>
<div class="section" id="s-id28">
<span id="id28"></span><h4>Versions affected<a class="headerlink" href="#id28" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 2.0 <a class="reference external" href="https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8">(patch)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16">(patch)</a></li>
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-1-2018-cve-2018-6188">
<span id="february-1-2018-cve-2018-6188"></span><h3>February 1, 2018 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2018-6188">CVE-2018-6188</a><a class="headerlink" href="#february-1-2018-cve-2018-6188" title="永久链接至标题">¶</a></h3>
<p>Information leakage in <code class="docutils literal notranslate"><span class="pre">AuthenticationForm</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2018/feb/01/security-releases/">Full description</a></p>
<div class="section" id="s-id29">
<span id="id29"></span><h4>Versions affected<a class="headerlink" href="#id29" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 2.0 <a class="reference external" href="https://github.com/django/django/commit/c37bb28677295f6edda61d8ac461014ef0d3aeb2">(patch)</a></li>
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/57b95fedad5e0b83fc9c81466b7d1751c6427aae">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-5-2017-cve-2017-12794">
<span id="september-5-2017-cve-2017-12794"></span><h3>September 5, 2017 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2017-12794">CVE-2017-12794</a><a class="headerlink" href="#september-5-2017-cve-2017-12794" title="永久链接至标题">¶</a></h3>
<p>Possible XSS in traceback section of technical 500 debug page. <a class="reference external" href="https://www.djangoproject.com/weblog/2017/sep/05/security-releases/">Full
description</a></p>
<div class="section" id="s-id30">
<span id="id30"></span><h4>Versions affected<a class="headerlink" href="#id30" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.11 <a class="reference external" href="https://github.com/django/django/commit/e35a0c56086924f331e9422daa266e907a4784cc">(patch)</a></li>
<li>Django 1.10 <a class="reference external" href="https://github.com/django/django/commit/58e08e80e362db79eb0fd775dc81faad90dca47a">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-april-4-2017-cve-2017-7234">
<span id="april-4-2017-cve-2017-7234"></span><h3>April 4, 2017 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2017-7234">CVE-2017-7234</a><a class="headerlink" href="#april-4-2017-cve-2017-7234" title="永久链接至标题">¶</a></h3>
<p>Open redirect vulnerability in <code class="docutils literal notranslate"><span class="pre">django.views.static.serve()</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2017/apr/04/security-releases/">Full
description</a></p>
<div class="section" id="s-id31">
<span id="id31"></span><h4>Versions affected<a class="headerlink" href="#id31" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.10 <a class="reference external" href="https://github.com/django/django/commit/2a9f6ef71b8e23fd267ee2be1be26dde8ab67037">(patch)</a></li>
<li>Django 1.9 <a class="reference external" href="https://github.com/django/django/commit/5f1ffb07afc1e59729ce2b283124116d6c0659e4">(patch)</a></li>
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/4a6b945dffe8d10e7cec107d93e6efaebfbded29">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-april-4-2017-cve-2017-7233">
<span id="april-4-2017-cve-2017-7233"></span><h3>April 4, 2017 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2017-7233">CVE-2017-7233</a><a class="headerlink" href="#april-4-2017-cve-2017-7233" title="永久链接至标题">¶</a></h3>
<p>Open redirect and possible XSS attack via user-supplied numeric redirect URLs.
<a class="reference external" href="https://www.djangoproject.com/weblog/2017/apr/04/security-releases/">Full description</a></p>
<div class="section" id="s-id32">
<span id="id32"></span><h4>Versions affected<a class="headerlink" href="#id32" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.10 <a class="reference external" href="https://github.com/django/django/commit/f824655bc2c50b19d2f202d7640785caabc82787">(patch)</a></li>
<li>Django 1.9 <a class="reference external" href="https://github.com/django/django/commit/254326cb3682389f55f886804d2c43f7b9f23e4f">(patch)</a></li>
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/8339277518c7d8ec280070a780915304654e3b66">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-november-1-2016-cve-2016-9014">
<span id="november-1-2016-cve-2016-9014"></span><h3>November 1, 2016 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2016-9014">CVE-2016-9014</a><a class="headerlink" href="#november-1-2016-cve-2016-9014" title="永久链接至标题">¶</a></h3>
<p>DNS rebinding vulnerability when <code class="docutils literal notranslate"><span class="pre">DEBUG=True</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2016/nov/01/security-releases/">Full description</a></p>
<div class="section" id="s-id33">
<span id="id33"></span><h4>Versions affected<a class="headerlink" href="#id33" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.10 <a class="reference external" href="https://github.com/django/django/commit/884e113838e5a72b4b0ec9e5e87aa480f6aa4472">(patch)</a></li>
<li>Django 1.9 <a class="reference external" href="https://github.com/django/django/commit/45acd6d836895a4c36575f48b3fb36a3dae98d19">(patch)</a></li>
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/c401ae9a7dfb1a94a8a61927ed541d6f93089587">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-november-1-2016-cve-2016-9013">
<span id="november-1-2016-cve-2016-9013"></span><h3>November 1, 2016 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2016-9013">CVE-2016-9013</a><a class="headerlink" href="#november-1-2016-cve-2016-9013" title="永久链接至标题">¶</a></h3>
<p>User with hardcoded password created when running tests on Oracle. <a class="reference external" href="https://www.djangoproject.com/weblog/2016/nov/01/security-releases/">Full
description</a></p>
<div class="section" id="s-id34">
<span id="id34"></span><h4>Versions affected<a class="headerlink" href="#id34" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.10 <a class="reference external" href="https://github.com/django/django/commit/34e10720d81b8d407aa14d763b6a7fe8f13b4f2e">(patch)</a></li>
<li>Django 1.9 <a class="reference external" href="https://github.com/django/django/commit/4844d86c7728c1a5a3bbce4ad336a8d32304072b">(patch)</a></li>
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/70f99952965a430daf69eeb9947079aae535d2d0">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-26-2016-cve-2016-7401">
<span id="september-26-2016-cve-2016-7401"></span><h3>September 26, 2016 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2016-7401">CVE-2016-7401</a><a class="headerlink" href="#september-26-2016-cve-2016-7401" title="永久链接至标题">¶</a></h3>
<p>CSRF protection bypass on a site with Google Analytics. <a class="reference external" href="https://www.djangoproject.com/weblog/2016/sep/26/security-releases/">Full description</a></p>
<div class="section" id="s-id35">
<span id="id35"></span><h4>Versions affected<a class="headerlink" href="#id35" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.9 <a class="reference external" href="https://github.com/django/django/commit/d1bc980db1c0fffd6d60677e62f70beadb9fe64a">(patch)</a></li>
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/6118ab7d0676f0d622278e5be215f14fb5410b6a">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-july-18-2016-cve-2016-6186">
<span id="july-18-2016-cve-2016-6186"></span><h3>July 18, 2016 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2016-6186">CVE-2016-6186</a><a class="headerlink" href="#july-18-2016-cve-2016-6186" title="永久链接至标题">¶</a></h3>
<p>XSS in admin's add/change related popup. <a class="reference external" href="https://www.djangoproject.com/weblog/2016/jul/18/security-releases/">Full description</a></p>
<div class="section" id="s-id36">
<span id="id36"></span><h4>Versions affected<a class="headerlink" href="#id36" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.9 <a class="reference external" href="https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158">(patch)</a></li>
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-march-1-2016-cve-2016-2513">
<span id="march-1-2016-cve-2016-2513"></span><h3>March 1, 2016 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2016-2513">CVE-2016-2513</a><a class="headerlink" href="#march-1-2016-cve-2016-2513" title="永久链接至标题">¶</a></h3>
<p>User enumeration through timing difference on password hasher work factor
upgrade. <a class="reference external" href="https://www.djangoproject.com/weblog/2016/mar/01/security-releases/">Full description</a></p>
<div class="section" id="s-id37">
<span id="id37"></span><h4>Versions affected<a class="headerlink" href="#id37" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.9 <a class="reference external" href="https://github.com/django/django/commit/af7d09b0c5c6ab68e629fd9baf736f9dd203b18e">(patch)</a></li>
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/f4e6e02f7713a6924d16540be279909ff4091eb6">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-march-1-2016-cve-2016-2512">
<span id="march-1-2016-cve-2016-2512"></span><h3>March 1, 2016 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2016-2512">CVE-2016-2512</a><a class="headerlink" href="#march-1-2016-cve-2016-2512" title="永久链接至标题">¶</a></h3>
<p>Malicious redirect and possible XSS attack via user-supplied redirect URLs
containing basic auth. <a class="reference external" href="https://www.djangoproject.com/weblog/2016/mar/01/security-releases/">Full description</a></p>
<div class="section" id="s-id38">
<span id="id38"></span><h4>Versions affected<a class="headerlink" href="#id38" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.9 <a class="reference external" href="https://github.com/django/django/commit/fc6d147a63f89795dbcdecb0559256470fff4380">(patch)</a></li>
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/382ab137312961ad62feb8109d70a5a581fe8350">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-1-2016-cve-2016-2048">
<span id="february-1-2016-cve-2016-2048"></span><h3>February 1, 2016 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2016-2048">CVE-2016-2048</a><a class="headerlink" href="#february-1-2016-cve-2016-2048" title="永久链接至标题">¶</a></h3>
<p>User with &quot;change&quot; but not &quot;add&quot; permission can create objects for
<code class="docutils literal notranslate"><span class="pre">ModelAdmin</span></code> classes with <code class="docutils literal notranslate"><span class="pre">save_as=True</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/">Full description</a></p>
<div class="section" id="s-id39">
<span id="id39"></span><h4>Versions affected<a class="headerlink" href="#id39" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.9 <a class="reference external" href="https://github.com/django/django/commit/adbca5e4db42542575734b8e5d26961c8ada7265">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-november-24-2015-cve-2015-8213">
<span id="november-24-2015-cve-2015-8213"></span><h3>November 24, 2015 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2015-8213">CVE-2015-8213</a><a class="headerlink" href="#november-24-2015-cve-2015-8213" title="永久链接至标题">¶</a></h3>
<p>Settings leak possibility in <code class="docutils literal notranslate"><span class="pre">date</span></code> template filter. <a class="reference external" href="https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id40">
<span id="id40"></span><h4>Versions affected<a class="headerlink" href="#id40" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/9f83fc2f66f5a0bac7c291aec55df66050bb6991">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-18-2015-cve-2015-5963-cve-2015-5964">
<span id="august-18-2015-cve-2015-5963-cve-2015-5964"></span><h3>August 18, 2015 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2015-5963">CVE-2015-5963</a> / <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2015-5964">CVE-2015-5964</a><a class="headerlink" href="#august-18-2015-cve-2015-5963-cve-2015-5964" title="永久链接至标题">¶</a></h3>
<p>Denial-of-service possibility in <code class="docutils literal notranslate"><span class="pre">logout()</span></code> view by filling session store.
<a class="reference external" href="https://www.djangoproject.com/weblog/2015/aug/18/security-releases/">Full description</a></p>
<div class="section" id="s-id41">
<span id="id41"></span><h4>Versions affected<a class="headerlink" href="#id41" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/2eb86b01d7b59be06076f6179a454d0fd0afaff6">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/2f5485346ee6f84b4e52068c04e043092daf55f7">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/575f59f9bc7c59a5e41a081d1f5f55fc859c5012">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-july-8-2015-cve-2015-5145">
<span id="july-8-2015-cve-2015-5145"></span><h3>July 8, 2015 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2015-5145">CVE-2015-5145</a><a class="headerlink" href="#july-8-2015-cve-2015-5145" title="永久链接至标题">¶</a></h3>
<p>Denial-of-service possibility in URL validation. <a class="reference external" href="https://www.djangoproject.com/weblog/2015/jul/08/security-releases/">Full description</a></p>
<div class="section" id="s-id42">
<span id="id42"></span><h4>Versions affected<a class="headerlink" href="#id42" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/8f9a4d3a2bc42f14bb437defd30c7315adbff22c">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-july-8-2015-cve-2015-5144">
<span id="july-8-2015-cve-2015-5144"></span><h3>July 8, 2015 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2015-5144">CVE-2015-5144</a><a class="headerlink" href="#july-8-2015-cve-2015-5144" title="永久链接至标题">¶</a></h3>
<p>Header injection possibility since validators accept newlines in input. <a class="reference external" href="https://www.djangoproject.com/weblog/2015/jul/08/security-releases/">Full
description</a></p>
<div class="section" id="s-id43">
<span id="id43"></span><h4>Versions affected<a class="headerlink" href="#id43" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/574dd5e0b0fbb877ae5827b1603d298edc9bb2a0">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/ae49b4d994656bc037513dcd064cb9ce5bb85649">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/1ba1cdce7d58e6740fe51955d945b56ae51d072a">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-july-8-2015-cve-2015-5143">
<span id="july-8-2015-cve-2015-5143"></span><h3>July 8, 2015 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2015-5143">CVE-2015-5143</a><a class="headerlink" href="#july-8-2015-cve-2015-5143" title="永久链接至标题">¶</a></h3>
<p>Denial-of-service possibility by filling session store. <a class="reference external" href="https://www.djangoproject.com/weblog/2015/jul/08/security-releases/">Full
description</a></p>
<div class="section" id="s-id44">
<span id="id44"></span><h4>Versions affected<a class="headerlink" href="#id44" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/66d12d1ababa8f062857ee5eb43276493720bf16">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/1828f4341ec53a8684112d24031b767eba557663">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/2e47f3e401c29bc2ba5ab794d483cb0820855fb9">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-may-20-2015-cve-2015-3982">
<span id="may-20-2015-cve-2015-3982"></span><h3>May 20, 2015 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2015-3982">CVE-2015-3982</a><a class="headerlink" href="#may-20-2015-cve-2015-3982" title="永久链接至标题">¶</a></h3>
<p>Fixed session flushing in the cached_db backend. <a class="reference external" href="https://www.djangoproject.com/weblog/2015/may/20/security-release/">Full description</a></p>
<div class="section" id="s-id45">
<span id="id45"></span><h4>Versions affected<a class="headerlink" href="#id45" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/31cb25adecba930bdeee4556709f5a1c42d88fd6">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-march-18-2015-cve-2015-2317">
<span id="march-18-2015-cve-2015-2317"></span><h3>March 18, 2015 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2015-2317">CVE-2015-2317</a><a class="headerlink" href="#march-18-2015-cve-2015-2317" title="永久链接至标题">¶</a></h3>
<p>Mitigated possible XSS attack via user-supplied redirect URLs. <a class="reference external" href="https://www.djangoproject.com/weblog/2015/mar/18/security-releases/">Full
description</a></p>
<div class="section" id="s-id46">
<span id="id46"></span><h4>Versions affected<a class="headerlink" href="#id46" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/2342693b31f740a422abf7267c53b4e7bc487c1b">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/5510f070711540aaa8d3707776cd77494e688ef9">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/2a4113dbd532ce952308992633d802dc169a75f1">(patch)</a></li>
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/770427c2896a078925abfca2317486b284d22f04">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-march-18-2015-cve-2015-2316">
<span id="march-18-2015-cve-2015-2316"></span><h3>March 18, 2015 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2015-2316">CVE-2015-2316</a><a class="headerlink" href="#march-18-2015-cve-2015-2316" title="永久链接至标题">¶</a></h3>
<p>Denial-of-service possibility with <code class="docutils literal notranslate"><span class="pre">strip_tags()</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2015/mar/18/security-releases/">Full description</a></p>
<div class="section" id="s-id47">
<span id="id47"></span><h4>Versions affected<a class="headerlink" href="#id47" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/b6b3cb9899214a23ebb0f4ebf0e0b300b0ee524f">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/e63363f8e075fa8d66326ad6a1cc3391cc95cd97">(patch)</a></li>
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/5447709a571cd5d95971f1d5d21d4a7edcf85bbd">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-march-9-2015-cve-2015-2241">
<span id="march-9-2015-cve-2015-2241"></span><h3>March 9, 2015 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2015-2241">CVE-2015-2241</a><a class="headerlink" href="#march-9-2015-cve-2015-2241" title="永久链接至标题">¶</a></h3>
<p>XSS attack via properties in <code class="docutils literal notranslate"><span class="pre">ModelAdmin.readonly_fields</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2015/mar/09/security-releases/">Full description</a></p>
<div class="section" id="s-id48">
<span id="id48"></span><h4>Versions affected<a class="headerlink" href="#id48" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/d16e4e1d6f95e6f46bff53cc4fd0ab398b8e5059">(patch)</a></li>
<li>Django 1.8 <a class="reference external" href="https://github.com/django/django/commit/2654e1b93923bac55f12b4e66c5e39b16695ace5">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-january-13-2015-cve-2015-0222">
<span id="january-13-2015-cve-2015-0222"></span><h3>January 13, 2015 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2015-0222">CVE-2015-0222</a><a class="headerlink" href="#january-13-2015-cve-2015-0222" title="永久链接至标题">¶</a></h3>
<p>Database denial-of-service with <code class="docutils literal notranslate"><span class="pre">ModelMultipleChoiceField</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2015/jan/13/security/">Full description</a></p>
<div class="section" id="s-id49">
<span id="id49"></span><h4>Versions affected<a class="headerlink" href="#id49" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/d7a06ee7e571b6dad07c0f5b519b1db02e2a476c">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/bcfb47780ce7caecb409a9e9c1c314266e41d392">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-january-13-2015-cve-2015-0221">
<span id="january-13-2015-cve-2015-0221"></span><h3>January 13, 2015 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2015-0221">CVE-2015-0221</a><a class="headerlink" href="#january-13-2015-cve-2015-0221" title="永久链接至标题">¶</a></h3>
<p>Denial-of-service attack against <code class="docutils literal notranslate"><span class="pre">django.views.static.serve()</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2015/jan/13/security/">Full
description</a></p>
<div class="section" id="s-id50">
<span id="id50"></span><h4>Versions affected<a class="headerlink" href="#id50" title="永久链接至标题">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/d020da6646c5142bc092247d218a3d1ce3e993f7">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/553779c4055e8742cc832ed525b9ee34b174934f">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/818e59a3f0fbadf6c447754d202d88df025f8f2a">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-january-13-2015-cve-2015-0220">
<span id="january-13-2015-cve-2015-0220"></span><h3>January 13, 2015 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2015-0220">CVE-2015-0220</a><a class="headerlink" href="#january-13-2015-cve-2015-0220" title="Permalink to this headline">¶</a></h3>
<p>Mitigated possible XSS attack via user-supplied redirect URLs. <a class="reference external" href="https://www.djangoproject.com/weblog/2015/jan/13/security/">Full description</a></p>
<div class="section" id="s-id51">
<span id="id51"></span><h4>Versions affected<a class="headerlink" href="#id51" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/4c241f1b710da6419d9dca160e80b23b82db7758">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/72e0b033662faa11bb7f516f18a132728aa0ae28">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/de67dedc771ad2edec15c1d00c083a1a084e1e89">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-january-13-2015-cve-2015-0219">
<span id="january-13-2015-cve-2015-0219"></span><h3>January 13, 2015 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2015-0219">CVE-2015-0219</a><a class="headerlink" href="#january-13-2015-cve-2015-0219" title="Permalink to this headline">¶</a></h3>
<p>WSGI header spoofing via underscore/dash conflation. <a class="reference external" href="https://www.djangoproject.com/weblog/2015/jan/13/security/">Full description</a></p>
<div class="section" id="s-id52">
<span id="id52"></span><h4>Versions affected<a class="headerlink" href="#id52" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/4f6fffc1dc429f1ad428ecf8e6620739e8837450">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/d7597b31d5c03106eeba4be14a33b32a5e25f4ee">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/41b4bc73ee0da7b2e09f4af47fc1fd21144c710f">(patch)</a></li>
</ul>
</div>
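<p>As an added illustration of the underscore/dash conflation named above (example code written for this page, not the Django project's patch): CGI-style WSGI servers turn every request header into an <code class="docutils literal notranslate"><span class="pre">HTTP_*</span></code> environ key by upper-casing it and replacing <code class="docutils literal notranslate"><span class="pre">-</span></code> with <code class="docutils literal notranslate"><span class="pre">_</span></code>, so a client-supplied <code class="docutils literal notranslate"><span class="pre">X-Auth_User</code> and a proxy-supplied <code class="docutils literal notranslate"><span class="pre">X-Auth-User</span></code> land in the same key. The proxy model, header name and user names below are constructed. The mitigation shown, dropping any header whose raw name contains an underscore before the environ is built, is what nginx does by default (<code class="docutils literal notranslate"><span class="pre">underscores_in_headers</span></code> off).</p>

```python
"""Underscore/dash conflation in CGI-style WSGI environ keys (constructed example)."""

# Constructed request: what the client actually sent to the front-end proxy.
# The proxy is meant to be the only source of X-Auth-User, so it strips the
# client's copy, but it only recognises the dash spelling.
CLIENT_HEADERS = [
    ("Host", "example.com"),
    ("X-Auth-User", "admin"),   # naive attempt; the proxy strips this spelling
    ("X-Auth_User", "admin"),   # underscore spelling; passes straight through
]

TRUSTED_HEADER = "X-Auth-User"


def proxy_forward(client_headers, authenticated_user):
    """Model of a front-end proxy: drop the client's copy of the trusted
    header (matched by its dash spelling) and append the proxy's own value."""
    forwarded = [(name, value) for name, value in client_headers
                 if name.lower() != TRUSTED_HEADER.lower()]
    forwarded.append((TRUSTED_HEADER, authenticated_user))
    return forwarded


def cgi_name(header_name):
    """CGI/WSGI normalisation: upper-case, '-' becomes '_', 'HTTP_' prefix.
    This is the step where 'X-Auth-User' and 'X-Auth_User' collapse into one key."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(headers, drop_underscore_names=False):
    """Build the HTTP_* part of a WSGI environ from (name, value) pairs.

    With drop_underscore_names=True a header whose *raw* name contains '_' is
    discarded before normalisation, so it can never collide with a dash-spelled
    header. Duplicate keys are joined with ',' as wsgiref does; servers that
    keep only the first or the last value are no safer, since the attacker
    still controls at least part of the result."""
    environ = {}
    for name, value in headers:
        if drop_underscore_names and "_" in name:
            continue
        key = cgi_name(name)
        environ[key] = value if key not in environ else environ[key] + "," + value
    return environ


def auth_user(environ):
    """What an application that trusts the proxy-set header would read."""
    return environ.get("HTTP_X_AUTH_USER")


if __name__ == "__main__":
    forwarded = proxy_forward(CLIENT_HEADERS, "alice")
    print(auth_user(build_environ(forwarded)))                              # admin,alice
    print(auth_user(build_environ(forwarded, drop_underscore_names=True)))  # alice
```

<p>The first printed line is the tainted value, the second the value the proxy actually set. The filter has to run at the front end or in the WSGI server, not in application code: once the application reads <code class="docutils literal notranslate"><span class="pre">HTTP_X_AUTH_USER</span></code> the two spellings are indistinguishable.</p>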
</div>
<div class="section" id="s-august-20-2014-cve-2014-0483">
<span id="august-20-2014-cve-2014-0483"></span><h3>August 20, 2014 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2014-0483">CVE-2014-0483</a><a class="headerlink" href="#august-20-2014-cve-2014-0483" title="Permalink to this headline">¶</a></h3>
<p>Data leakage via querystring manipulation in admin. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/aug/20/security/">Full description</a></p>
<div class="section" id="s-id53">
<span id="id53"></span><h4>Versions affected<a class="headerlink" href="#id53" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/027bd348642007617518379f8b02546abacaa6e0">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/2a446c896e7c814661fb9c4f212b071b2a7fa446">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/f7c494f2506250b8cb5923714360a3642ed63e0f">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/2b31342cdf14fc20e07c43d258f1e7334ad664a6">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-20-2014-cve-2014-0482">
<span id="august-20-2014-cve-2014-0482"></span><h3>August 20, 2014 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2014-0482">CVE-2014-0482</a><a class="headerlink" href="#august-20-2014-cve-2014-0482" title="Permalink to this headline">¶</a></h3>
<p><code class="docutils literal notranslate"><span class="pre">RemoteUserMiddleware</span></code> session hijacking. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/aug/20/security/">Full description</a></p>
<div class="section" id="s-id54">
<span id="id54"></span><h4>Versions affected<a class="headerlink" href="#id54" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/c9e3b9949cd55f090591fbdc4a114fcb8368b6d9">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/dd68f319b365f6cb38c5a6c106faf4f6142d7d88">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/0268b855f9eab3377f2821164ef3e66037789e09">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/1a45d059c70385fcd6f4a3955f3b4e4cc96d0150">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-20-2014-cve-2014-0481">
<span id="august-20-2014-cve-2014-0481"></span><h3>August 20, 2014 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2014-0481">CVE-2014-0481</a><a class="headerlink" href="#august-20-2014-cve-2014-0481" title="Permalink to this headline">¶</a></h3>
<p>File upload denial of service. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/aug/20/security/">Full description</a></p>
<div class="section" id="s-id55">
<span id="id55"></span><h4>Versions affected<a class="headerlink" href="#id55" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/30042d475bf084c6723c6217a21598d9247a9c41">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/26cd48e166ac4d84317c8ee6d63ac52a87e8da99">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/dd0c3f4ee1a30c1a1e6055061c6ba6e58c6b54d1">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/3123f8452cf49071be9110e277eea60ba0032216">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-20-2014-cve-2014-0480">
<span id="august-20-2014-cve-2014-0480"></span><h3>August 20, 2014 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2014-0480">CVE-2014-0480</a><a class="headerlink" href="#august-20-2014-cve-2014-0480" title="Permalink to this headline">¶</a></h3>
<p><code class="docutils literal notranslate"><span class="pre">reverse()</span></code> can generate URLs pointing to other hosts. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/aug/20/security/">Full description</a></p>
<div class="section" id="s-id56">
<span id="id56"></span><h4>Versions affected<a class="headerlink" href="#id56" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/c2fe73133b62a1d9e8f7a6b43966570b14618d7e">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/45ac9d4fb087d21902469fc22643f5201d41a0cd">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/da051da8df5e69944745072611351d4cfc6435d5">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/bf650a2ee78c6d1f4544a875dcc777cf27fe93e9">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-may-18-2014-cve-2014-3730">
<span id="may-18-2014-cve-2014-3730"></span><h3>May 18, 2014 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2014-3730">CVE-2014-3730</a><a class="headerlink" href="#may-18-2014-cve-2014-3730" title="Permalink to this headline">¶</a></h3>
<p>Malformed URLs from user input incorrectly validated. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id57">
<span id="id57"></span><h4>Versions affected<a class="headerlink" href="#id57" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/7feb54bbae3f637ab3c4dd4831d4385964f574df">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/ad32c218850ad40972dcef57beb460f8c979dd6d">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/601107524523bca02376a0ddc1a06c6fdb8f22f3">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/e7b0cace455c2da24492660636bfd48c45a19cdf">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-may-18-2014-cve-2014-1418">
<span id="may-18-2014-cve-2014-1418"></span><h3>May 18, 2014 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2014-1418">CVE-2014-1418</a><a class="headerlink" href="#may-18-2014-cve-2014-1418" title="Permalink to this headline">¶</a></h3>
<p>Caches may be allowed to store and serve private data. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id58">
<span id="id58"></span><h4>Versions affected<a class="headerlink" href="#id58" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/28e23306aa53bbbb8fb87db85f99d970b051026c">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/4001ec8698f577b973c5a540801d8a0bbea1205b">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/1abcf3a808b35abae5d425ed4d44cb6e886dc769">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/7fef18ba9e5a8b47bc24b5bb259c8bf3d3879f2a">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-april-21-2014-cve-2014-0474">
<span id="april-21-2014-cve-2014-0474"></span><h3>April 21, 2014 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2014-0474">CVE-2014-0474</a><a class="headerlink" href="#april-21-2014-cve-2014-0474" title="Permalink to this headline">¶</a></h3>
<p>MySQL typecasting causes unexpected query results. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/apr/21/security/">Full description</a></p>
<div class="section" id="s-id59">
<span id="id59"></span><h4>Versions affected<a class="headerlink" href="#id59" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/aa80f498de6d687e613860933ac58433ab71ea4b">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/985434fb1d6bf2335bf96c6ebf91c3674f1f399f">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/5f0829a27e85d89ad8c433f5c6a7a7d17c9e9292">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/34526c2f56b863c2103655a0893ac801667e86ea">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-april-21-2014-cve-2014-0473">
<span id="april-21-2014-cve-2014-0473"></span><h3>April 21, 2014 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2014-0473">CVE-2014-0473</a><a class="headerlink" href="#april-21-2014-cve-2014-0473" title="Permalink to this headline">¶</a></h3>
<p>Caching of anonymous pages could reveal CSRF token. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/apr/21/security/">Full description</a></p>
<div class="section" id="s-id60">
<span id="id60"></span><h4>Versions affected<a class="headerlink" href="#id60" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/1170f285ddd6a94a65f911a27788ba49ca08c0b0">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/6872f42757d7ef6a97e0b6ec5db4d2615d8a2bd8">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/d63e20942f3024f24cb8cd85a49461ba8a9b6736">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/380545bf85cbf17fc698d136815b7691f8d023ca">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-april-21-2014-cve-2014-0472">
<span id="april-21-2014-cve-2014-0472"></span><h3>April 21, 2014 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2014-0472">CVE-2014-0472</a><a class="headerlink" href="#april-21-2014-cve-2014-0472" title="Permalink to this headline">¶</a></h3>
<p>Unexpected code execution using <code class="docutils literal notranslate"><span class="pre">reverse()</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/apr/21/security/">Full description</a></p>
<div class="section" id="s-id61">
<span id="id61"></span><h4>Versions affected<a class="headerlink" href="#id61" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/c1a8c420fe4b27fb2caf5e46d23b5712fc0ac535">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/2a5bcb69f42b84464b24b5c835dca6467b6aa7f1">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/4352a50871e239ebcdf64eee6f0b88e714015c1b">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/546740544d7f69254a67b06a3fc7fa0c43512958">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-14-2013-cve-2013-1443">
<span id="september-14-2013-cve-2013-1443"></span><h3>September 14, 2013 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2013-1443">CVE-2013-1443</a><a class="headerlink" href="#september-14-2013-cve-2013-1443" title="Permalink to this headline">¶</a></h3>
<p>Denial-of-service via large passwords. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/sep/15/security/">Full description</a></p>
<div class="section" id="s-id62">
<span id="id62"></span><h4>Versions affected<a class="headerlink" href="#id62" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/3f3d887a6844ec2db743fee64c9e53e04d39a368">(patch</a> and <a class="reference external" href="https://github.com/django/django/commit/6903d1690a92aa040adfb0c8eb37cf62e4206714">Python compatibility fix)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-10-2013-cve-2013-4315">
<span id="september-10-2013-cve-2013-4315"></span><h3>September 10, 2013 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2013-4315">CVE-2013-4315</a><a class="headerlink" href="#september-10-2013-cve-2013-4315" title="Permalink to this headline">¶</a></h3>
<p>Directory-traversal via <code class="docutils literal notranslate"><span class="pre">ssi</span></code> template tag. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id63">
<span id="id63"></span><h4>Versions affected<a class="headerlink" href="#id63" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-13-2013-cve-2013-6044">
<span id="august-13-2013-cve-2013-6044"></span><h3>August 13, 2013 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2013-6044">CVE-2013-6044</a><a class="headerlink" href="#august-13-2013-cve-2013-6044" title="Permalink to this headline">¶</a></h3>
<p>Possible XSS via unvalidated URL redirect schemes. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id64">
<span id="id64"></span><h4>Versions affected<a class="headerlink" href="#id64" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-13-2013-cve-2013-4249">
<span id="august-13-2013-cve-2013-4249"></span><h3>August 13, 2013 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2013-4249">CVE-2013-4249</a><a class="headerlink" href="#august-13-2013-cve-2013-4249" title="Permalink to this headline">¶</a></h3>
<p>XSS via admin trusting <code class="docutils literal notranslate"><span class="pre">URLField</span></code> values. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id65">
<span id="id65"></span><h4>Versions affected<a class="headerlink" href="#id65" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-19-2013-cve-2013-0306">
<span id="february-19-2013-cve-2013-0306"></span><h3>February 19, 2013 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2013-0306">CVE-2013-0306</a><a class="headerlink" href="#february-19-2013-cve-2013-0306" title="Permalink to this headline">¶</a></h3>
<p>Denial-of-service via formset <code class="docutils literal notranslate"><span class="pre">max_num</span></code> bypass. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/feb/19/security/">Full description</a></p>
<div class="section" id="s-id66">
<span id="id66"></span><h4>Versions affected<a class="headerlink" href="#id66" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-19-2013-cve-2013-0305">
<span id="february-19-2013-cve-2013-0305"></span><h3>February 19, 2013 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2013-0305">CVE-2013-0305</a><a class="headerlink" href="#february-19-2013-cve-2013-0305" title="Permalink to this headline">¶</a></h3>
<p>Information leakage via admin history log. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/feb/19/security/">Full description</a></p>
<div class="section" id="s-id67">
<span id="id67"></span><h4>Versions affected<a class="headerlink" href="#id67" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/d3a45e10c8ac8268899999129daa27652ec0da35">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/0e7861aec73702f7933ce2a93056f7983939f0d6">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-19-2013-cve-2013-1664-cve-2013-1665">
<span id="february-19-2013-cve-2013-1664-cve-2013-1665"></span><h3>February 19, 2013 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2013-1664">CVE-2013-1664</a> / <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2013-1665">CVE-2013-1665</a><a class="headerlink" href="#february-19-2013-cve-2013-1664-cve-2013-1665" title="Permalink to this headline">¶</a></h3>
<p>Entity-based attacks against Python XML libraries. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/feb/19/security/">Full description</a></p>
<div class="section" id="s-id68">
<span id="id68"></span><h4>Versions affected<a class="headerlink" href="#id68" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-19-2013-no-cve">
<span id="february-19-2013-no-cve"></span><h3>February 19, 2013 - No CVE<a class="headerlink" href="#february-19-2013-no-cve" title="Permalink to this headline">¶</a></h3>
<p>Additional hardening of <code class="docutils literal notranslate"><span class="pre">Host</span></code> header handling. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/feb/19/security/">Full description</a></p>
<div class="section" id="s-id69">
<span id="id69"></span><h4>Versions affected<a class="headerlink" href="#id69" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/27cd872e6e36a81d0bb6f5b8765a1705fecfc253">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/9936fdb11d0bbf0bd242f259bfb97bbf849d16f8">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-december-10-2012-no-cve-2">
<span id="december-10-2012-no-cve-2"></span><h3>December 10, 2012 - No CVE 2<a class="headerlink" href="#december-10-2012-no-cve-2" title="Permalink to this headline">¶</a></h3>
<p>Additional hardening of redirect validation. <a class="reference external" href="https://www.djangoproject.com/weblog/2012/dec/10/security/">Full description</a></p>
<div class="section" id="s-id70">
<span id="id70"></span><h4>Versions affected<a class="headerlink" href="#id70" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/1515eb46daa0897ba5ad5f0a2db8969255f1b343">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/b2ae0a63aeec741f1e51bac9a95a27fd635f9652">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-december-10-2012-no-cve-1">
<span id="december-10-2012-no-cve-1"></span><h3>December 10, 2012 - No CVE 1<a class="headerlink" href="#december-10-2012-no-cve-1" title="Permalink to this headline">¶</a></h3>
<p>Additional hardening of <code class="docutils literal notranslate"><span class="pre">Host</span></code> header handling. <a class="reference external" href="https://www.djangoproject.com/weblog/2012/dec/10/security/">Full description</a></p>
<div class="section" id="s-id71">
<span id="id71"></span><h4>Versions affected<a class="headerlink" href="#id71" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/319627c184e71ae267d6b7f000e293168c7b6e09">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-october-17-2012-cve-2012-4520">
<span id="october-17-2012-cve-2012-4520"></span><h3>October 17, 2012 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2012-4520">CVE-2012-4520</a><a class="headerlink" href="#october-17-2012-cve-2012-4520" title="Permalink to this headline">¶</a></h3>
<p><code class="docutils literal notranslate"><span class="pre">Host</span></code> header poisoning. <a class="reference external" href="https://www.djangoproject.com/weblog/2012/oct/17/security/">Full description</a></p>
<div class="section" id="s-id72">
<span id="id72"></span><h4>Versions affected<a class="headerlink" href="#id72" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-july-30-2012-cve-2012-3444">
<span id="july-30-2012-cve-2012-3444"></span><h3>July 30, 2012 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2012-3444">CVE-2012-3444</a><a class="headerlink" href="#july-30-2012-cve-2012-3444" title="Permalink to this headline">¶</a></h3>
<p>Denial-of-service via large image files. <a class="reference external" href="https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id73">
<span id="id73"></span><h4>Versions affected<a class="headerlink" href="#id73" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-july-30-2012-cve-2012-3443">
<span id="july-30-2012-cve-2012-3443"></span><h3>July 30, 2012 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2012-3443">CVE-2012-3443</a><a class="headerlink" href="#july-30-2012-cve-2012-3443" title="Permalink to this headline">¶</a></h3>
<p>Denial-of-service via compressed image files. <a class="reference external" href="https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id74">
<span id="id74"></span><h4>Versions affected<a class="headerlink" href="#id74" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/b2eb4787a0fff9c9993b78be5c698e85108f3446">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/c14f325c4eef628bc7bfd8873c3a72aeb0219141">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-july-30-2012-cve-2012-3442">
<span id="july-30-2012-cve-2012-3442"></span><h3>July 30, 2012 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2012-3442">CVE-2012-3442</a><a class="headerlink" href="#july-30-2012-cve-2012-3442" title="Permalink to this headline">¶</a></h3>
<p>XSS via failure to validate redirect scheme. <a class="reference external" href="https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id75">
<span id="id75"></span><h4>Versions affected<a class="headerlink" href="#id75" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/e34685034b60be1112160e76091e5aee60149fa1">(patch)</a></li>
</ul>
</div>
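<p>This entry, the December 2012 redirect hardening, CVE-2013-6044, CVE-2014-3730 and CVE-2015-0220 above all concern one check: whether a user-supplied "next" URL may be used as a redirect target. The following is added example code for this page, not Django's <code class="docutils literal notranslate"><span class="pre">is_safe_url()</span></code>. It puts the host-only check, which lets a <code class="docutils literal notranslate"><span class="pre">javascript:</span></code> URL through because such a URL has no host, beside a hardened check that also rejects a scheme other than http(s), a scheme with no host, a leading space or control character, backslashes and three leading slashes. The allowlist and the sample URLs are constructed.</p>

```python
from urllib.parse import urlparse

# Constructed allowlist for the example: hosts a redirect may point at.
ALLOWED_HOSTS = {"example.com"}


def host_only_check(url, allowed_hosts=ALLOWED_HOSTS):
    """The flawed check: accept a URL whose host is empty or allowlisted.
    A 'javascript:' URL has no host, so it passes, and the value then lands
    in a Location header or an href where the browser executes it."""
    netloc = urlparse(url).netloc.lower()
    return netloc == "" or netloc in allowed_hosts


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """Hardened check for a user-supplied redirect target."""
    if not url:
        return False
    # Leading space or control character: browsers skip these, and urlparse()
    # on some Python versions strips them too, so a script URL prefixed with a
    # backspace would otherwise parse as a harmless relative path.
    if url[0] == " " or not url[0].isprintable():
        return False
    # Browsers treat a backslash as a slash, so '/\evil' is '//evil' to them,
    # and they read '///evil' as '//evil' while urlparse() sees an empty host.
    if "\\" in url or url.startswith("///"):
        return False
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    netloc = parsed.netloc.lower()
    # A scheme without a host ('javascript:...', 'http:///evil') is never a
    # same-site relative path, whatever urlparse() makes of it.
    if scheme and not netloc:
        return False
    if scheme and scheme not in ("http", "https"):
        return False
    # Compare the whole netloc: 'example.com@evil' must not match 'example.com'.
    if netloc and netloc not in allowed_hosts:
        return False
    return True


def redirect_target(requested, fallback="/"):
    """What a login view should do with its 'next' parameter."""
    return requested if is_safe_redirect(requested) else fallback
```

<p>The check is deliberately a denylist of nothing and an allowlist of little: a relative path, or an absolute http(s) URL whose complete netloc is on the list. Anything the parser and the browser might disagree about is refused rather than normalised.</p>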
</div>
<div class="section" id="s-september-9-2011-cve-2011-4140">
<span id="september-9-2011-cve-2011-4140"></span><h3>September 9, 2011 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2011-4140">CVE-2011-4140</a><a class="headerlink" href="#september-9-2011-cve-2011-4140" title="Permalink to this headline">¶</a></h3>
<p>Potential CSRF via <code class="docutils literal notranslate"><span class="pre">Host</span></code> header. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id76">
<span id="id76"></span><h4>Versions affected<a class="headerlink" href="#id76" title="Permalink to this headline">¶</a></h4>
<p>This notification was an advisory only, so no patches were issued.</p>
<ul class="simple">
<li>Django 1.2</li>
<li>Django 1.3</li>
</ul>
</div>
</div>
<div class="section" id="s-september-9-2011-cve-2011-4139">
<span id="september-9-2011-cve-2011-4139"></span><h3>September 9, 2011 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2011-4139">CVE-2011-4139</a><a class="headerlink" href="#september-9-2011-cve-2011-4139" title="Permalink to this headline">¶</a></h3>
<p><code class="docutils literal notranslate"><span class="pre">Host</span></code> header cache poisoning. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id77">
<span id="id77"></span><h4>Versions affected<a class="headerlink" href="#id77" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/c613af4d6485586c79d692b70a9acac429f3ca9d">(patch)</a></li>
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/2f7fadc38efa58ac0a8f93f936b82332a199f396">(patch)</a></li>
</ul>
</div>
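<p>This entry, CVE-2011-4140, CVE-2012-4520 and the two "Additional hardening of <code class="docutils literal notranslate"><span class="pre">Host</span></code> header handling" entries above share a root cause: code that copies the client-controlled <code class="docutils literal notranslate"><span class="pre">Host</span></code> header into absolute URLs or cache keys. Django's remedy is the <code class="docutils literal notranslate"><span class="pre">ALLOWED_HOSTS</span></code> setting enforced by <code class="docutils literal notranslate"><span class="pre">HttpRequest.get_host()</span></code>, which answers a request with a non-matching host with a 400 response. The code below is an added stand-alone illustration of the same idea, not Django's implementation: the allowlist name mirrors the setting, but its entries, the request environs and the paths are constructed.</p>

```python
import re

# Constructed allowlist for this example (the analogue of Django's ALLOWED_HOSTS).
# A leading dot is a subdomain wildcard: '.api.example.com' matches
# api.example.com and every name under it; '*' would allow any host.
ALLOWED_HOSTS = ["example.com", ".api.example.com", "[2001:db8::1]"]

# Conservative Host syntax: a hostname or a bracketed IPv6 literal, optional port.
# Anything else ('@', '/', '#', spaces, non-ASCII) fails before any matching,
# so the accepted value is safe to place in URLs, cache keys and Location headers.
HOST_RE = re.compile(r"^(?P<host>[a-z0-9.-]+|\[[0-9a-f:.]+\])(?P<port>:[0-9]+)?$")


def host_matches(host, pattern):
    """Match one allowlist entry against a host that carries no port."""
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def validate_host(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Return 'host[:port]' in canonical lower-case form when the Host header
    is syntactically clean and allowlisted, otherwise None."""
    if not host_header:
        return None
    m = HOST_RE.match(host_header.strip().lower())
    if m is None:
        return None
    host = m.group("host").rstrip(".")  # 'example.com.' names the same host
    if not any(host_matches(host, p) for p in allowed_hosts):
        return None
    return host + (m.group("port") or "")


def unsafe_absolute_url(environ, path):
    """The poisonable pattern: the client's Host value is copied straight into
    a link, for instance the password-reset link mailed to the victim."""
    return "%s://%s%s" % (environ.get("wsgi.url_scheme", "http"),
                          environ["HTTP_HOST"], path)


def safe_absolute_url(environ, path, allowed_hosts=ALLOWED_HOSTS):
    """Hardened form: refuse to build the URL for a Host that is not
    allowlisted. Failing loudly is better than silently substituting a
    default host, which would hide the probe from the logs."""
    host = validate_host(environ.get("HTTP_HOST"), allowed_hosts)
    if host is None:
        raise ValueError("disallowed Host header: %r" % environ.get("HTTP_HOST"))
    return "%s://%s%s" % (environ.get("wsgi.url_scheme", "http"), host, path)
```

<p>Two details matter in practice: the syntax check runs before the allowlist so that values such as <code class="docutils literal notranslate"><span class="pre">example.com@evil.example</span></code> never reach a string comparison, and the allowlist is exact or dot-anchored, so <code class="docutils literal notranslate"><span class="pre">example.com.evil.example</span></code> does not match <code class="docutils literal notranslate"><span class="pre">example.com</span></code>. When a reverse proxy sits in front, the same validation must be applied to whichever forwarded-host header the application is configured to trust.</p>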
</div>
<div class="section" id="s-september-9-2011-cve-2011-4138">
<span id="september-9-2011-cve-2011-4138"></span><h3>September 9, 2011 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2011-4138">CVE-2011-4138</a><a class="headerlink" href="#september-9-2011-cve-2011-4138" title="Permalink to this headline">¶</a></h3>
<p>Information leakage/arbitrary request issuance via <code class="docutils literal notranslate"><span class="pre">URLField.verify_exists</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id78">
<span id="id78"></span><h4>Versions affected<a class="headerlink" href="#id78" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/7268f8af86186518821d775c530d5558fd726930">(patch)</a></li>
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/1a76dbefdfc60e2d5954c0ba614c3d054ba9c3f0">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-9-2011-cve-2011-4137">
<span id="september-9-2011-cve-2011-4137"></span><h3>September 9, 2011 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2011-4137">CVE-2011-4137</a><a class="headerlink" href="#september-9-2011-cve-2011-4137" title="Permalink to this headline">¶</a></h3>
<p>Denial-of-service via <code class="docutils literal notranslate"><span class="pre">URLField.verify_exists</span></code>. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id79">
<span id="id79"></span><h4>Versions affected<a class="headerlink" href="#id79" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/7268f8af86186518821d775c530d5558fd726930">(patch)</a></li>
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/1a76dbefdfc60e2d5954c0ba614c3d054ba9c3f0">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-9-2011-cve-2011-4136">
<span id="september-9-2011-cve-2011-4136"></span><h3>September 9, 2011 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2011-4136">CVE-2011-4136</a><a class="headerlink" href="#september-9-2011-cve-2011-4136" title="Permalink to this headline">¶</a></h3>
<p>Session manipulation when using memory-cache-backed sessions. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id80">
<span id="id80"></span><h4>Versions affected<a class="headerlink" href="#id80" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/ac7c3a110f906e4dfed3a17451bf7fd9fcb81296">(patch)</a></li>
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/fbe2eead2fa9d808658ca582241bcacb02618840">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-8-2011-cve-2011-0698">
<span id="february-8-2011-cve-2011-0698"></span><h3>February 8, 2011 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2011-0698">CVE-2011-0698</a><a class="headerlink" href="#february-8-2011-cve-2011-0698" title="Permalink to this headline">¶</a></h3>
<p>Directory-traversal on Windows via incorrect path-separator handling. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/feb/08/security/">Full description</a></p>
<div class="section" id="s-id81">
<span id="id81"></span><h4>Versions affected<a class="headerlink" href="#id81" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.1 <a class="reference external" href="https://github.com/django/django/commit/570a32a047ea56265646217264b0d3dab1a14dbd">(patch)</a></li>
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/194566480b15cf4e294d3f03ff587019b74044b2">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-8-2011-cve-2011-0697">
<span id="february-8-2011-cve-2011-0697"></span><h3>February 8, 2011 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2011-0697">CVE-2011-0697</a><a class="headerlink" href="#february-8-2011-cve-2011-0697" title="Permalink to this headline">¶</a></h3>
<p>XSS via unsanitized names of uploaded files. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/feb/08/security/">Full description</a></p>
<div class="section" id="s-id82">
<span id="id82"></span><h4>Versions affected<a class="headerlink" href="#id82" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.1 <a class="reference external" href="https://github.com/django/django/commit/1966786d2dde73e17f39cf340eb33fcb5d73904e">(patch)</a></li>
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/1f814a9547842dcfabdae09573055984af9d3fab">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-8-2011-cve-2011-0696">
<span id="february-8-2011-cve-2011-0696"></span><h3>February 8, 2011 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2011-0696">CVE-2011-0696</a><a class="headerlink" href="#february-8-2011-cve-2011-0696" title="Permalink to this headline">¶</a></h3>
<p>CSRF via forged HTTP headers. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/feb/08/security/">Full description</a></p>
<div class="section" id="s-id83">
<span id="id83"></span><h4>Versions affected<a class="headerlink" href="#id83" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.1 <a class="reference external" href="https://github.com/django/django/commit/408c5c873ce1437c7eee9544ff279ecbad7e150a">(patch)</a></li>
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/818e70344e7193f6ebc73c82ed574e6ce3c91afc">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-december-22-2010-cve-2010-4535">
<span id="december-22-2010-cve-2010-4535"></span><h3>December 22, 2010 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2010-4535">CVE-2010-4535</a><a class="headerlink" href="#december-22-2010-cve-2010-4535" title="Permalink to this headline">¶</a></h3>
<p>Denial-of-service in password-reset mechanism. <a class="reference external" href="https://www.djangoproject.com/weblog/2010/dec/22/security/">Full description</a></p>
<div class="section" id="s-id84">
<span id="id84"></span><h4>Versions affected<a class="headerlink" href="#id84" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.1 <a class="reference external" href="https://github.com/django/django/commit/7f8dd9cbac074389af8d8fd235bf2cb657227b9a">(patch)</a></li>
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/d5d8942a160685c403d381a279e72e09de5489a9">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-december-22-2010-cve-2010-4534">
<span id="december-22-2010-cve-2010-4534"></span><h3>December 22, 2010 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2010-4534">CVE-2010-4534</a><a class="headerlink" href="#december-22-2010-cve-2010-4534" title="Permalink to this headline">¶</a></h3>
<p>Information leakage in administrative interface. <a class="reference external" href="https://www.djangoproject.com/weblog/2010/dec/22/security/">Full description</a></p>
<div class="section" id="s-id85">
<span id="id85"></span><h4>Versions affected<a class="headerlink" href="#id85" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.1 <a class="reference external" href="https://github.com/django/django/commit/17084839fd7e267da5729f2a27753322b9d415a0">(patch)</a></li>
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/85207a245bf09fdebe486b4c7bbcb65300f2a693">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-8-2010-cve-2010-3082">
<span id="september-8-2010-cve-2010-3082"></span><h3>September 8, 2010 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2010-3082">CVE-2010-3082</a><a class="headerlink" href="#september-8-2010-cve-2010-3082" title="Permalink to this headline">¶</a></h3>
<p>XSS via trusting unsafe cookie value. <a class="reference external" href="https://www.djangoproject.com/weblog/2010/sep/08/security-release/">Full description</a></p>
<div class="section" id="s-id86">
<span id="id86"></span><h4>Versions affected<a class="headerlink" href="#id86" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/7f84657b6b2243cc787bdb9f296710c8d13ad0bd">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-october-9-2009-cve-2009-3965">
<span id="october-9-2009-cve-2009-3965"></span><h3>October 9, 2009 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2009-3965">CVE-2009-3965</a><a class="headerlink" href="#october-9-2009-cve-2009-3965" title="Permalink to this headline">¶</a></h3>
<p>Denial-of-service via pathological regular expression performance. <a class="reference external" href="https://www.djangoproject.com/weblog/2009/oct/09/security/">Full description</a></p>
<div class="section" id="s-id87">
<span id="id87"></span><h4>Versions affected<a class="headerlink" href="#id87" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.0 <a class="reference external" href="https://github.com/django/django/commit/594a28a9044120bed58671dde8a805c9e0f6c79a">(patch)</a></li>
<li>Django 1.1 <a class="reference external" href="https://github.com/django/django/commit/e3e992e18b368fcd56aabafc1b5bf80a6e11b495">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-july-28-2009-cve-2009-2659">
<span id="july-28-2009-cve-2009-2659"></span><h3>July 28, 2009 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2009-2659">CVE-2009-2659</a><a class="headerlink" href="#july-28-2009-cve-2009-2659" title="Permalink to this headline">¶</a></h3>
<p>Directory-traversal in development server media handler. <a class="reference external" href="https://www.djangoproject.com/weblog/2009/jul/28/security/">Full description</a></p>
<div class="section" id="s-id88">
<span id="id88"></span><h4>Versions affected<a class="headerlink" href="#id88" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 0.96 <a class="reference external" href="https://github.com/django/django/commit/da85d76fd6ca846f3b0ff414e042ddb5e62e2e69">(patch)</a></li>
<li>Django 1.0 <a class="reference external" href="https://github.com/django/django/commit/df7f917b7f51ba969faa49d000ffc79572c5dcb4">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-2-2008-cve-2008-3909">
<span id="september-2-2008-cve-2008-3909"></span><h3>September 2, 2008 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2008-3909">CVE-2008-3909</a><a class="headerlink" href="#september-2-2008-cve-2008-3909" title="Permalink to this headline">¶</a></h3>
<p>CSRF via preservation of POST data during admin login. <a class="reference external" href="https://www.djangoproject.com/weblog/2008/sep/02/security/">Full description</a></p>
<div class="section" id="s-id89">
<span id="id89"></span><h4>Versions affected<a class="headerlink" href="#id89" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 0.91 <a class="reference external" href="https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752">(patch)</a></li>
<li>Django 0.95 <a class="reference external" href="https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81">(patch)</a></li>
<li>Django 0.96 <a class="reference external" href="https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-may-14-2008-cve-2008-2302">
<span id="may-14-2008-cve-2008-2302"></span><h3>May 14, 2008 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2008-2302">CVE-2008-2302</a><a class="headerlink" href="#may-14-2008-cve-2008-2302" title="Permalink to this headline">¶</a></h3>
<p>XSS via admin login redirect. <a class="reference external" href="https://www.djangoproject.com/weblog/2008/may/14/security/">Full description</a></p>
<div class="section" id="s-id90">
<span id="id90"></span><h4>Versions affected<a class="headerlink" href="#id90" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 0.91 <a class="reference external" href="https://github.com/django/django/commit/6e657e2c404a96e744748209e896d8a69c15fdf2">(patch)</a></li>
<li>Django 0.95 <a class="reference external" href="https://github.com/django/django/commit/50ce7fb57d79e8940ccf6e2781f2f01df029b5c5">(patch)</a></li>
<li>Django 0.96 <a class="reference external" href="https://github.com/django/django/commit/7791e5c050cebf86d868c5dab7092185b125fdc9">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-october-26-2007-cve-2007-5712">
<span id="october-26-2007-cve-2007-5712"></span><h3>October 26, 2007 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2007-5712">CVE-2007-5712</a><a class="headerlink" href="#october-26-2007-cve-2007-5712" title="Permalink to this headline">¶</a></h3>
<p>Denial-of-service via arbitrarily-large <code class="docutils literal notranslate"><span class="pre">Accept-Language</span></code> header. <a class="reference external" href="https://www.djangoproject.com/weblog/2007/oct/26/security-fix/">Full description</a></p>
<div class="section" id="s-id91">
<span id="id91"></span><h4>Versions affected<a class="headerlink" href="#id91" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 0.91 <a class="reference external" href="https://github.com/django/django/commit/8bc36e726c9e8c75c681d3ad232df8e882aaac81">(patch)</a></li>
<li>Django 0.95 <a class="reference external" href="https://github.com/django/django/commit/412ed22502e11c50dbfee854627594f0e7e2c234">(patch)</a></li>
<li>Django 0.96 <a class="reference external" href="https://github.com/django/django/commit/7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f">(patch)</a></li>
</ul>
</div>
</div>
</div>
<div class="section" id="s-issues-prior-to-django-s-security-process">
<span id="issues-prior-to-django-s-security-process"></span><h2>Issues prior to Django's security process<a class="headerlink" href="#issues-prior-to-django-s-security-process" title="Permalink to this headline">¶</a></h2>
<p>Some security issues were handled before Django had a formalized
security process in use. For these, new releases may not have been
issued at the time and CVEs may not have been assigned.</p>
<div class="section" id="s-january-21-2007-cve-2007-0405">
<span id="january-21-2007-cve-2007-0405"></span><h3>January 21, 2007 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2007-0405">CVE-2007-0405</a><a class="headerlink" href="#january-21-2007-cve-2007-0405" title="Permalink to this headline">¶</a></h3>
<p>Apparent &quot;caching&quot; of authenticated user. <a class="reference external" href="https://www.djangoproject.com/weblog/2007/jan/21/0951/">Full description</a></p>
<div class="section" id="s-id92">
<span id="id92"></span><h4>Versions affected<a class="headerlink" href="#id92" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 0.95 <a class="reference external" href="https://github.com/django/django/commit/e89f0a65581f82a5740bfe989136cea75d09cd67">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-16-2006-cve-2007-0404">
<span id="august-16-2006-cve-2007-0404"></span><h3>August 16, 2006 - <a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2007-0404">CVE-2007-0404</a><a class="headerlink" href="#august-16-2006-cve-2007-0404" title="Permalink to this headline">¶</a></h3>
<p>Filename validation issue in translation framework. <a class="reference external" href="https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/">Full description</a></p>
<div class="section" id="s-id93">
<span id="id93"></span><h4>Versions affected<a class="headerlink" href="#id93" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 0.90 <a class="reference external" href="https://github.com/django/django/commit/6eefa521be3c658dc0b38f8d62d52e9801e198ab">(patch)</a></li>
<li>Django 0.91 <a class="reference external" href="https://github.com/django/django/commit/d31e39173c29537e6a1613278c93634c18a3206e">(patch)</a></li>
<li>Django 0.95 <a class="reference external" href="https://github.com/django/django/commit/a132d411c6986418ee6c0edc331080aa792fee6e">(patch)</a>
(released January 21 2007)</li>
</ul>
</div>
</div>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">

  <h4>Previous topic</h4>
  <p class="topless"><a href="0.95.html"
                        title="previous chapter">Django version 0.95 release notes</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="../internals/index.html"
                        title="next chapter">Django internals</a></p>
        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">July 23, 2021</p>
          </div>
        
      
    </div>

    <div id="ft">
      <div class="nav">
    &laquo; <a href="0.95.html" title="Django version 0.95 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="../internals/index.html" title="Django internals">next</a> &raquo;</div>
    </div>
  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>